There is a fundamental risk to a subscription-based business model, which is what Adobe.com has moved to. If you want to charge your customers monthly, like a utility, to use your products or services, then necessarily you have their contact info, credit card numbers, etc. That makes for quite an attractive target for compromise!

Clearly the data in question should be secured very carefully — encrypted, access controlled (e.g., using a privileged access management system, monitored, etc. Something in these controls clearly failed at Adobe.

This is a warning to customers to beware sharing CC and similar data with firms that have to retain the indefinitely. It is also a warning to firms that have such practices to be incredibly careful.

PCI-DSS includes lots of good guidelines about how to protect such data — I wonder which rules Adobe managed to not follow?